Federal Communications Commission
Office of Inspector General

FY 2003 Follow-up on the Audit of Web Presence Security

Audit Report No. 03-AUD-09-21
October 20, 2004

TABLE OF CONTENTS

EXECUTIVE SUMMARY
BACKGROUND
AUDIT OBJECTIVES
SCOPE
AUDIT OBSERVATIONS
APPENDIX A - Summary of Findings
APPENDIX B - Detailed Findings & Observations
APPENDIX C - New Conditions
APPENDIX D - Management Response

EXECUTIVE SUMMARY

On June 13, 2001, the Federal Communications Commission (FCC or Commission) Office of Inspector General (OIG) issued Audit Report No. 00-AUD-01-10, Audit of Web Presence Security. The report summarized the results of the audit of the FCC’s program for managing its web presence. Web presence was defined as the infrastructures developed to maintain the Commission’s systems that allow the public to submit applications and/or filings via the Internet. These infrastructures, managed by the Information Technology Center (ITC) and the Auctions Automation Branch of the Wireless Telecommunications Bureau (WTB), included all hardware, software, and network services that comprised the Commission’s Internet entry and egress points.

The objective of the FY 2001 audit was to measure the Commission’s success at securing its web portals. The audit concluded that the FCC had an active and generally effective program for managing web presence security. The report cited several positive computer security controls. However, 38 security findings, for which corrective actions were recommended, were also identified. As of August 8, 2003, FCC management had reported on-going corrective actions for 14 of the findings. Corrective actions for the remaining 24 were reported as completed.

In FY 2003, the OIG engaged KPMG LLP to perform a follow-up audit on the status of corrective actions for findings identified by the original audit of the FCC’s web presence security. The scope of the follow-up audit included the respective web presence infrastructures managed by ITC and the Auctions Operations Branch. Follow-up was conducted on 37 of the 38 original audit findings; devices and systems supporting web services located at the FCC’s Consumer Center in Gettysburg, PA, were specifically excluded.

The objectives of the follow-up audit were to ensure that appropriate corrective actions had been implemented and to test the current security posture of the FCC’s web presence. To achieve our objectives, we conducted external penetration tests of select e-filing applications, including attempts to log in to e-filing applications from the Internet. The audit team also used automated tools, conducted manual tests and other techniques, and interviewed personnel to determine the status of the original audit findings. Fieldwork was conducted at the FCC’s Washington, DC Portals headquarters between September 24, 2003 and June 18, 2004.

The Federal Information System Controls Audit Manual (FISCAM) provided the framework for conducting this audit. In particular, Appendix III of the FISCAM, Tables for Summarizing Work Performed in Evaluating and Testing General Controls, was referenced as guidance. Guidance was also obtained from additional publications issued by the National Institute of Standards and Technology (NIST), other laws and directives pertaining to the protection of Federal information resources, and Commission-specific guidance, including the FCC’s “Computer Security Program Directive” (FCC Instruction 1479.2).

As in the original audit of the FCC’s web presence security, we identified several positive controls during the FY 2003 follow-up fieldwork. However, the audit identified that corrective actions had not been fully implemented for all of the original audit findings. Of the thirty-seven (37) findings followed up on, twenty-eight (28) were determined to have a closed status and nine (9) were identified as open. Of the nine (9) open findings, one (1) was classified as high risk. In addition, the follow-up audit disclosed five (5) new conditions. Of the five (5) new conditions, one (1) was classified as high risk. This new high risk condition was corrected during the audit period.

As a result of our review of the status of follow-up audit findings, we specifically recommend that ITC prioritize resources to make improvements in its patch management and intrusion detection practices. Weaknesses in these practices are a direct cause of several follow-up findings related to hardware/system software maintenance and audit trail controls. On-going weaknesses in patch management and intrusion detection have been identified by several audits of FCC security controls, including the original web presence audit, and are considered to be systemic in nature.

Appendices A, B, and C to this report provide the details of follow-up observations noted during the audit, the status of corrective actions, and new security weaknesses identified during this follow-up review. Over the course of the audit, FCC management took proactive measures to investigate several findings identified as open and new, and in some cases initiated steps to correct these issues. As applicable, we have noted such corrective activities in our report.

Prior to issuing this report, we took steps to reach agreement with FCC management upon the facts of the conditions identified in this report. During the audit and at the audit’s Exit Conference held on June 22, 2004, preliminary findings were presented to ITC and WTB’s Auctions Operations Branch. The informal comments received by the audit team were considered during the preparation of this report and incorporated as appropriate.

On August 31, 2004, we provided a draft report to the Office of Managing Director (OMD) and WTB for review and comments. In a response dated September 29, 2004, OMD concurred with eight (8) of the findings. OMD indicated partial concurrence with two (2) of the findings. For four (4) of the findings, OMD stated that corrective action was taken before the end of audit fieldwork. OMD outlined the corrective action to be taken and a schedule for implementation of corrective action. We have included a copy of the response in its entirety as Appendix D to this report.

This report contains non-public information. In accordance with the Commission’s directive on the Management of Non-Public Information (FCCINST 1139), we have classified all appendices as “Non-Public – For Internal Use Only.” Recipients of this report are expected to follow the established policies and procedures for managing and safeguarding the non-public information contained in this report as outlined in FCCINST 1139.

BACKGROUND

The Federal Communications Commission (FCC) Office of the Inspector General (OIG) is responsible for conducting audits and investigations of FCC operations and programs. The OIG provides leadership and recommends policies for activities designed to prevent and detect fraud, waste, and abuse and to promote economy, efficiency, and effectiveness of FCC programs and operations. Since its creation in 1988, the OIG has performed numerous reviews, inspections, and audits to evaluate the effectiveness of controls designed to ensure the protection of Commission personnel and property. The FCC’s OIG has performed several reviews evaluating the security of the Commission’s Information Technology (IT) infrastructure as well as the physical security of the Commission’s workspace.

On June 13, 2001, the OIG issued Audit Report No. 00-AUD-01-10, Audit of Web Presence Security. The report summarized the results of the audit of the Commission’s program for managing its web presence. Web presence was defined as the infrastructures developed to maintain the Commission’s systems that allow the public to submit applications and/or filings via the Internet. The infrastructures, managed by the Information Technology Center (ITC) and the Auctions Automation Branch of the Wireless Telecommunications Bureau (WTB), included all hardware, software, and network services that comprised the Commission’s Internet entry and egress points.

The objective of the FY 2001 audit was to measure the Commission’s success at securing its web portals. The audit concluded that the FCC had an active and generally effective program for managing web presence security. The report cited several positive computer security controls that were designed to protect and preserve web-based assets. However, thirty-eight (38) security weaknesses related to host and network access, system software, service continuity, and application software development controls were also identified. Six (6) of the findings were designated as high-risk, thirty-one (31) as medium-risk, and one (1) as low-risk. Corrective actions were recommended for each.

Implementation of corrective actions for Commission audit findings is reported to and tracked by the FCC’s Performance Evaluation and Records Management (PERM) office. As of August 8, 2003, corrective actions for fourteen (14) of the findings from the original web presence audit were reported by FCC management as on-going and twenty-four (24) as completed. ITC reported that corrective actions were in progress for several findings that pertained to the FCC HQ Public DMZ. The Auctions Automation Branch had reported that all findings affecting the WTB Auctions DMZ had been resolved.

In FY 2003, the OIG engaged KPMG LLP to perform a follow-up audit on the status of corrective actions for findings identified by the original FY 2001 web presence security audit. The Federal Information System Controls Audit Manual (FISCAM) provided the framework for conducting this audit. In particular, Appendix III of the FISCAM, Tables for Summarizing Work Performed in Evaluating and Testing General Controls, was used as guidance where appropriate. Guidance was also obtained from additional publications issued by the National Institute of Standards and Technology (NIST), as well as the following laws, directives, and Commission-specific guidance:

• Presidential Decision Directive (PDD) 63, entitled “Critical Infrastructure Protection”
• PDD-67, entitled “Continuity of Operations Planning (COOP)”
• OMB Circular A-130, entitled “Management of Federal Information Resources,” as revised on November 30, 2000
• FCC Instruction 1479.2, “Computer Security Program Directive”
• FCC Performance Evaluation & Records Management (PERM) Audit Follow-up Guidelines
• NIST Special Publication 800-26, Security Self-Assessment Guide for Information Technology Systems

Our procedures were designed to comply with applicable auditing standards and guidelines, specifically the Generally Accepted Government Auditing Standards (GAGAS).

AUDIT OBJECTIVES

The objectives of the FY 2003 follow-up audit were to: (1) follow up on specific observations identified in Audit Report No. 00-AUD-01-10 to ensure appropriate corrective actions had been implemented; and (2) perform tests on the information systems security posture of the web presence.

To achieve the follow-up audit objectives, the audit team conducted external penetration tests of select e-filing applications, including attempts to log in to e-filing applications from the Internet. The audit team also used automated tools, conducted manual tests and other techniques, and interviewed personnel to determine the status of the original audit findings and the security posture of the FCC’s web presence infrastructure.

SCOPE

The scope of the follow-up audit included the FCC HQ Public DMZ and the WTB Auctions DMZ, respectively managed by ITC and the Auctions Operations Branch. Follow-up was conducted on corrective actions for thirty-seven (37) of the thirty-eight (38) original audit findings from Audit Report No. 00-AUD-01-10, Audit of Web Presence Security. Specifically excluded were devices and systems supporting web services located at the FCC’s Consumer Center in Gettysburg, PA. The e-filing systems included in external penetration tests were the Commission Registration System (CORES), the International Bureau Filing System (IBFS), the Consolidated Database System (CDBS), the Enforcement Bureau Filing System (EBFS), and the Electronic Tariff Filing System (ETFS). Audit fieldwork was conducted at the FCC’s Washington, DC Portals headquarters between September 24, 2003 and June 18, 2004.

Follow-up audit findings have been organized according to the NIST control areas of management controls, operational controls, and technical controls. The control areas are defined below, and the specific control objectives addressed under each are listed.

Management Controls – Management controls focus on the management of the IT security system and the management of risk for a system. They are techniques and concerns that are normally addressed by management. The specific management control objectives addressed were:

• Risk Management
• Review of Security Controls
• Life Cycle
• Authorize Processing (Certification and Accreditation)
• System Security Plan

Operational Controls – Operational controls address security methods focusing on mechanisms primarily implemented and executed by people (as opposed to systems). These controls are put in place to improve the security of a particular system (or group of systems). They often require technical or specialized expertise and often rely upon management activities as well as technical controls. The specific operational control objectives addressed were:

• Personnel Security
• Physical and Environmental Protection
• Production, Input/Output Controls
• Contingency Planning
• Hardware and System Software Maintenance
• Data Integrity
• Documentation
• Security Awareness, Training and Education
• Incident Response Capability

Technical Controls – Technical controls focus on security controls that the computer system executes. These controls can provide automated protection against unauthorized access or misuse, facilitate detection of security violations, and support security requirements for applications and data. The specific technical control objectives addressed were:

• Identification and Authentication
• Audit Trails
• Logical Access Controls

New findings that resulted from the audit have been further categorized by risk ratings of ‘High’, ‘Medium’, or ‘Low’. In assigning ratings, we considered whether each condition, if exploited, could result in misuse or loss of FCC data, as well as the potential degree of exposure to the Commission. Risk categories are defined below:

High Risk: A security risk which, if exploited, can cause a business disruption. The identified condition presents a level of risk that requires immediate and appropriate redress by FCC management. Not doing so would have the potential effect of increasing the risks of unnecessary system downtime, misuse, and destruction/exposure of critical FCC data.

Medium Risk: A security risk which, in conjunction with other events, can cause a business disruption if exploited. It is important for FCC management to take appropriate corrective action on these medium-risk security control conditions in order to protect the integrity, availability, and confidentiality of FCC data.

Low Risk: A security risk which may cause operational annoyances if exploited.

AUDIT OBSERVATIONS

During the FY 2003 follow-up audit we identified the following positive security controls in the FCC’s HQ Public DMZ, which is managed by ITC:

• Remote access to devices within the DMZ was tightly controlled;
• The use of generic and group accounts was effectively managed; and
• Administrative access was appropriately controlled and monitored through logging mechanisms.

We also identified that WTB’s Auctions Operations Branch had implemented the following positive security controls within the WTB Auctions DMZ:

• A robust intrusion detection system (IDS);
• Strong management of user accounts and passwords on the hosts that were tested; and
• Appropriate control and monitoring of administrative access through logging mechanisms.

While positive security controls were noted, the audit identified that corrective actions had not been fully implemented for all of the original audit findings. Of the thirty-seven (37) findings followed up on, twenty-eight (28) were determined to have a closed status and nine (9) were identified as open. Of the nine (9) open findings, one (1) was classified as high risk. These open findings are related to hardware/system software maintenance, logical access, identification and authentication, and audit trails. ITC has sole responsibility for seven (7) of the open findings applicable to the FCC HQ Public DMZ identified by the original report. Responsibility for the eighth finding in the FCC HQ Public DMZ is shared by ITC, the Financial Systems Operations Group, and the International Bureau. The ninth finding noted as open during fieldwork was applicable to the WTB Auctions DMZ. This finding was corrected by the Auctions Operations Branch during follow-up audit fieldwork and is noted in this report as closed.

The audit identified that eight (8) of the nine (9) original audit findings determined to be open during our follow-up audit had been reported to PERM as closed by FCC management prior to the audit. From our review, we were able to ascertain that some of these conditions may have re-opened for reasons including the degradation of security controls after the initial corrective action was taken, the introduction of new hardware which may not have been properly configured, or subsequent changes made by personnel with administrative and maintenance duties.

Five (5) new conditions in the areas of operational and technical controls were also identified. These findings are related to hardware/system software maintenance and logical access controls. Of the new control weaknesses identified, one (1) has been classified as high risk, two (2) as medium risk, and two (2) as low risk. The new high risk condition was corrected during the audit period.

As a result of the follow-up audit findings, we specifically recommend that ITC prioritize resources to make improvements in its patch management and intrusion detection practices. Patch management and intrusion detection are among an entity’s first lines of defense against IT security threats and attacks. On-going weaknesses in these areas have been identified by several audits of FCC security controls, including the original web presence audit, and are considered to be systemic in nature. Patch management practices can be directly linked to several of the follow-up audit findings related to hardware/system software maintenance controls, including two (2) of the new findings. ITC’s lack of strong controls surrounding the management and monitoring of the intrusion detection system is a cause of follow-up audit findings related to audit trail controls.

Over the course of the audit, FCC management took proactive measures to investigate several conditions identified as open and new. In some cases, steps were initiated to fully implement corrective actions and resolve the findings noted. As applicable, we have identified these corrective activities in our report.

Prior to issuing this report, we took steps to reach agreement with FCC management upon the facts of the conditions identified in this report. Over the course of the audit and at the audit’s Exit Conference held on June 22, 2004, preliminary findings were presented to ITC and the Auctions Operations Branch. The informal comments received from each entity were considered during the preparation of this report and incorporated as appropriate.

Appendix A of this report, Summary of Findings, provides a summary of all open and new conditions identified during fieldwork. Appendix B, Detailed Findings and Observations, provides detailed information on the 37 follow-up observations included in the scope of this audit and the corrective status of each as noted during fieldwork. This appendix was prepared by adding fields to the Detailed Findings and Recommendations report issued with Audit Report No. 00-AUD-01-10. The added fields indicate (1) the status of conditions as reported by FCC management to PERM prior to the audit, (2) observations from the follow-up audit, (3) the status of the conditions as determined by the auditor, and (4) the FCC entity responsible for open findings. Appendix C, New Conditions – Detailed Findings and Recommendations, provides the details of the new conditions identified.

On August 31, 2004, we provided a draft report to the Office of Managing Director (OMD) and WTB for review and comments. In a response dated September 29, 2004, OMD concurred with eight (8) of the findings. OMD indicated partial concurrence with two (2) of the findings. For four (4) of the findings, OMD stated that corrective action was taken before the end of audit fieldwork. OMD outlined the corrective action to be taken and a schedule for implementation of corrective action. We have included a copy of the response in its entirety as Appendix D to this report.

This report contains non-public information. In accordance with the Commission’s directive on the Management of Non-Public Information (FCCINST 1139), we have classified all appendices as “Non-Public – For Internal Use Only.” Recipients of this report are expected to follow the established policies and procedures for managing and safeguarding the non-public information contained in this report as outlined in FCCINST 1139.